- From: Emily Stark <notifications@github.com>
- Date: Wed, 20 Mar 2019 21:02:10 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 21 March 2019 04:02:32 UTC
estark37 commented on this pull request.

> + +<p>Remove components that may provide opportunities for spoofing or distract from security-relevant +information: + +<ul> + <li><p>Browsers are encouraged to only render a URL’s <a for=url>host</a> in places where it is + important for users to distinguish between the host and other parts of the URL such as the <a + for=url>path</a>. Browsers may further consider rendering only the URL’s host's <a + for=host>registrable domain</a> to remove spoofing opportunities posed by subdomains (e.g., + <code>https://examplecorp.attacker.com/</code>). + + <li><p>A <a for=/>URL</a>'s <a for=url>username</a> and <a for=url>password</a> should not be + rendered as they can be mistaken for a <a for=/>URL</a>'s <a for=url>host</a> (as in, e.g., + <code>https://examplecorp.com@attacker.example/</code>). + + <li><p>A URL can be rendered without its <a for=url>scheme</a> if the display surface only ever

Done

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/pull/434#discussion_r267620456
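Review bot: the apostrophes in the first list item of the quoted hunk are inconsistent: `URL’s` (twice) uses a typographic apostrophe while `host's` in the same sentence, and `<a for=/>URL</a>'s` in the second item, use the straight ASCII form; pick one form for the spec source and use it throughout the added paragraph. The quoted excerpt also ends mid-sentence at `if the display surface only ever`, so the condition under which the scheme may be omitted should be checked in the full diff rather than from this notification.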